---
title: redirect_validation
sidebarTitle: redirect_validation
---

# `fastmcp.server.auth.redirect_validation`


Utilities for validating client redirect URIs in OAuth flows.

## Functions

### `matches_allowed_pattern` <sup><a href="https://github.com/jlowin/fastmcp/blob/main/src/fastmcp/server/auth/redirect_validation.py#L8" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a></sup>

```python
matches_allowed_pattern(uri: str, pattern: str) -> bool
```


Check if a URI matches an allowed pattern with wildcard support.

Patterns support `*` wildcard matching:
- `http://localhost:*` matches any localhost port
- `http://127.0.0.1:*` matches any 127.0.0.1 port
- `https://*.example.com/*` matches any subdomain of example.com
- `https://app.example.com/auth/*` matches any path under `/auth/`

**Args:**
- `uri`: The redirect URI to validate
- `pattern`: The allowed pattern (may contain wildcards)

**Returns:**
- `True` if the URI matches the pattern


### `validate_redirect_uri` <sup><a href="https://github.com/jlowin/fastmcp/blob/main/src/fastmcp/server/auth/redirect_validation.py#L28" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a></sup>

```python
validate_redirect_uri(redirect_uri: str | AnyUrl | None, allowed_patterns: list[str] | None) -> bool
```


Validate a redirect URI against allowed patterns.

**Args:**
- `redirect_uri`: The redirect URI to validate
- `allowed_patterns`: List of allowed patterns. If `None`, all URIs are allowed (for Dynamic Client Registration (DCR) compatibility). If an empty list, no URIs are allowed. To restrict to localhost only, explicitly pass `DEFAULT_LOCALHOST_PATTERNS`.

**Returns:**
- `True` if the redirect URI is allowed
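
The documented pattern forms and the `None` versus empty-list behaviour, as an added example that is not fastmcp's implementation: it compares scheme, host, port and path as separate components rather than matching the whole string. `LOCALHOST_PATTERNS`, `split_uri`, `matches` and `is_allowed` are hypothetical names, and the localhost pattern list is an assumed value.

```python
from __future__ import annotations
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Assumed value: the page names DEFAULT_LOCALHOST_PATTERNS but does not list it.
LOCALHOST_PATTERNS = ["http://localhost:*", "http://127.0.0.1:*"]


def split_uri(value: str) -> tuple[str, str, str, str] | None:
    """Return (scheme, host, port, path), or None for shapes this sketch rejects."""
    parts = urlsplit(value)
    netloc = parts.netloc
    if not parts.scheme or not netloc or "@" in netloc or "[" in netloc:
        return None  # relative, userinfo-bearing, or IPv6-literal: out of scope here
    host, _, port = netloc.partition(":")
    return parts.scheme.lower(), host.lower(), port, parts.path


def matches(uri: str, pattern: str) -> bool:
    """Compare components separately, so '*' never crosses a URI boundary."""
    u, p = split_uri(uri), split_uri(pattern)
    if u is None or p is None:
        return False
    (u_scheme, u_host, u_port, u_path), (p_scheme, p_host, p_port, p_path) = u, p
    if u_scheme != p_scheme or not fnmatchcase(u_host, p_host):
        return False
    port_ok = u_port.isdigit() if p_port == "*" else u_port == p_port
    # A pattern with no path (http://localhost:*) constrains only the origin.
    path_ok = p_path == "" or fnmatchcase(u_path, p_path)
    return port_ok and path_ok


def is_allowed(redirect_uri: str, allowed_patterns: list[str] | None) -> bool:
    """The documented list semantics: None allows everything, [] allows nothing."""
    if allowed_patterns is None:
        return True
    return any(matches(redirect_uri, p) for p in allowed_patterns)
```

Because `None` and `[]` sit at opposite ends of the policy, a configuration loader that turns a missing setting into `None` opens the allowlist entirely; passing an explicit list keeps the check meaningful.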

